From lzjun at dislab.nju.edu.cn Wed Jul 5 22:55:34 2000
From: lzjun at dislab.nju.edu.cn (lzjun)
Date: Thu, 06 Jul 2000 13:55:34 +0800
Subject: whether the bro 0.7 has been released and where to get it?
Message-ID: <39641F55.5F23F496@dislab.nju.edu.cn>

From lzjun at dislab.nju.edu.cn Wed Jul 5 23:03:46 2000
From: lzjun at dislab.nju.edu.cn (lzjun)
Date: Thu, 06 Jul 2000 14:03:46 +0800
Subject: Is there a tool to compile policy-script?
Message-ID: <39642142.F199871D@dislab.nju.edu.cn>

Hi,

I have successfully run bro 0.6. But it now detects few intrusions, and it is difficult for me to list all the intrusions by myself. Is there some intrusions .bro which has collected some intrusion behavior?

Thanks.

From vern at ee.lbl.gov Wed Jul 5 23:03:26 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Wed, 05 Jul 2000 23:03:26 PDT
Subject: whether the bro 0.7 has been released and where to get it?
In-Reply-To: Your message of Thu, 06 Jul 2000 13:55:34 PDT.
Message-ID: <200007060603.e6663Q510374@daffy.ee.lbl.gov>

It has not yet been released. I am thinking of waiting on the release until I can finish a draft of the first part of the user manual (describing the language in detail). If enough people are interested in the new release right now, though, then I'll put it together without waiting on the manual. There are a lot of new features, but without documentation for them, using them remains challenging!

Vern

From vern at ee.lbl.gov Wed Jul 5 23:04:39 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Wed, 05 Jul 2000 23:04:39 PDT
Subject: how to add more .bro files in bro?
In-Reply-To: Your message of Wed, 21 Jun 2000 17:49:08 PDT.
Message-ID: <200007060604.e6664da10405@daffy.ee.lbl.gov>

> When I want to use more .bro files, such as:
> ./bro -i eth0 ftp.bro http.bro,
> then the program tells me that it can't go on when it analyzes the http.bro.

How exactly does it tell you that "it can't go on"?
Because the above should work (assuming you don't in fact have a comma after "http.bro"); or, more specifically,

	./bro -i eth0 mt.bro http.bro

should work.

Vern

From vern at ee.lbl.gov Wed Jul 5 23:06:14 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Wed, 05 Jul 2000 23:06:14 PDT
Subject: Is there a tool to compile policy-script?
In-Reply-To: Your message of Thu, 06 Jul 2000 14:03:46 PDT.
Message-ID: <200007060606.e6666El10437@daffy.ee.lbl.gov>

> I have successfully run bro 0.6. But it now detects few
> intrusions, and it is difficult for me to list all the intrusions by
> myself. Is there some intrusions .bro which has collected some intrusion
> behavior?

I don't really understand your question, but all of the publicly available .bro files are included in the distribution. To see what real-time alerts are generated, search for uses of the "log" statement.

Vern

From mazequest at hotmail.com Thu Jul 6 19:23:27 2000
From: mazequest at hotmail.com (Kyle C Quest)
Date: Fri, 07 Jul 2000 02:23:27 GMT
Subject: whether the bro 0.7 has been released and where to get it?
Message-ID: <20000707022327.105.qmail@hotmail.com>

I know it's not a part of a user manual, but I wonder if you plan to have an Object Model Diagram for bro as part of your overall documentation? I remember somebody expressed interest in making an OMD. Did anything come out of it?

I have created an OMD for bro as part of my bro design evaluation. It's just a draft (there could be a lot of mistakes...) with all the classes and associations, but without attributes and behaviors included (I refer to the code when I need those...). If you don't already have an OMD done or almost done, I could revise my OMD and submit it for your review so it could be a part of bro's design documentation.
Kyle

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

From vern at ee.lbl.gov Tue Jul 11 00:10:00 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 11 Jul 2000 00:10:00 PDT
Subject: whether the bro 0.7 has been released and where to get it?
In-Reply-To: Your message of Fri, 07 Jul 2000 02:23:27 PST.
Message-ID: <200007110710.e6B7A0Y29741@daffy.ee.lbl.gov>

> I know it's not a part of a user manual, but I wonder if you plan
> to have an Object Model Diagram for bro as part of your overall documentation?

I hadn't planned on doing one, and don't think anyone else is working on one. If you want to contribute a revised version of yours, please do so.

Vern

From mazequest at hotmail.com Thu Jul 13 15:32:30 2000
From: mazequest at hotmail.com (Kyle C Quest)
Date: Thu, 13 Jul 2000 22:32:30 GMT
Subject: bro OMD
Message-ID: <20000713223231.38604.qmail@hotmail.com>

Hi everybody ;-]

A few people wanted to get their hands on my bro OMD draft. I turned my paper version into a more computer friendly form last night. Unfortunately, the diagramming program I used is a Windows app ;-[ , so to modify the OMD one needs to have a program called Plastic... I never used diagramming tools in Unix (there's UML Argo, but I wonder if there's something better out there ???). The revised version of the OMD will probably be done with some other tool (Argo, if I like it after I try it...).

Once again, I would like to stress that there are a lot of mistakes on the diagram draft (especially when it comes to collections use and things that I considered dynamic arrays by accident...). The OMD draft is big (even though there are no attributes and behaviors).
http://unital.freeyellow.com/brodomdoverview.jpg - big picture of diagram
http://unital.freeyellow.com/bdomdj1.jpg - small picture of diagram
http://unital.freeyellow.com/brodomd1.pcl - bro omd plastic file
http://unital.freeyellow.com/plastic.zip - the program I used for draft.

Kyle

From eric.gauthier at orange.ch Mon Jul 24 01:08:44 2000
From: eric.gauthier at orange.ch (Gauthier Eric)
Date: Mon, 24 Jul 2000 10:08:44 +0200
Subject: Gigabit link monitoring
Message-ID: <0104847773B2D3119AA300105AF2E18E42C88E@vdlaexc3.orange.ch>

Dear Bro users,

I am new to the field of intrusion detection. I would like to use Bro to monitor a Gigabit ethernet link. What type of hardware should I use in order to guarantee no packet filter drops?

Regards,

Eric Gauthier
eric.gauthier at orange.ch
Orange Communications SA
TEL: +41.21.216.53.08

From bmorin at supelec-rennes.fr Mon Jul 24 02:58:01 2000
From: bmorin at supelec-rennes.fr (Benjamin Morin)
Date: Mon, 24 Jul 2000 11:58:01 +0200
Subject: DNS
Message-ID: <397C1329.4E57F2FD@supelec-rennes.fr>

Hello,

I am trying to run bro on a Linux 2.2.14 intel box. If I try to use any of the ".bro" files, I get this error:

	hot, line 33: internal error: NB-DNS error in DNS_Mgr::WaitForReplies
	Aborted

Could anyone help me to correct this?

Thanks

From utacse at hotmail.com Mon Jul 24 08:43:46 2000
From: utacse at hotmail.com (Krishna Kumar)
Date: Mon, 24 Jul 2000 10:43:46 -0500
Subject: Where can i get bro ?
References: <397C1329.4E57F2FD@supelec-rennes.fr>
Message-ID:

Hello People,

This may seem a very naive question, but I would deeply appreciate it if someone could tell me where I could get a copy of bro for use in my masters project on network intrusion detection. All help would be sincerely appreciated.
Thanks in advance

Krishna

From mazequest at hotmail.com Mon Jul 24 12:43:49 2000
From: mazequest at hotmail.com (Kyle C Quest)
Date: Mon, 24 Jul 2000 19:43:49 GMT
Subject: Gigabit link monitoring
Message-ID: <20000724194349.27437.qmail@hotmail.com>

Vern would be the best person to give an answer for this question... but I can also help (in a way ;-])...

Bro uses the libpcap packet capture library... the library uses different ways to capture packets on various OS platforms... If I'm not mistaken, for fast networks it's better to use BSD derived operating systems (OpenBSD, FreeBSD...) because they use the BPF packet filtering mechanism that is part of the operating system... and as far as I know BPF provides the best performance... however, I'm sure that even BPF's performance would not be enough for a gigabit network... Unless BPF+ replaced the original BPF implementation, there's no way bro can sustain gigabit speed.

Anyways, if you choose to use bro, don't use Linux, because it is possibly the slowest platform to run bro...

Kyle

=======================================================
> Dear Bro users,
>
> I am new to the field of intrusion detection. I would like to use
> Bro to monitor a Gigabit ethernet link. What type of hardware
> should I use in order to guarantee no packet filter drops?
>
> Regards,
>
> Eric Gauthier

From vern at ee.lbl.gov Mon Jul 24 17:00:31 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Mon, 24 Jul 2000 17:00:31 PDT
Subject: Where can i get bro ?
In-Reply-To: Your message of Mon, 24 Jul 2000 10:43:46 PDT.
Message-ID: <200007250000.e6P00Vm23578@daffy.ee.lbl.gov>

> This may seem a very naive question, but I would deeply appreciate it if
> someone could tell me where I could get a copy of bro for use in my masters
> project on network intrusion detection.
It's available from

	ftp://ftp.ee.lbl.gov/.vp-bro-0.6-alpha.tar.gz

You'll need libpcap (also available from ftp.ee.lbl.gov) if your system doesn't already come with it.

I'm working on a Bro user's manual, but it's not yet ready for pre-release.

Vern

From vern at ee.lbl.gov Tue Jul 25 00:30:12 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 25 Jul 2000 00:30:12 PDT
Subject: Gigabit link monitoring
In-Reply-To: Your message of Mon, 24 Jul 2000 19:43:49 PST.
Message-ID: <200007250730.e6P7UCN24304@daffy.ee.lbl.gov>

> Bro uses the libpcap packet capture library... the library uses
> different ways to capture packets on various OS platforms...
> If I'm not mistaken, for fast networks it's better to use
> BSD derived operating systems (OpenBSD, FreeBSD...) because
> they use the BPF packet filtering mechanism that is part of the operating
> system... and as far as I know BPF provides the best performance...

Right.

> however, I'm sure that even BPF's performance would not be enough
> for a gigabit network... Unless BPF+ replaced the original BPF
> implementation, there's no way bro can sustain gigabit speed.

What's crucial is the make-up of the traffic: how much is there, how much of it matches the filter, and what sort of analysis has to be performed for the captured traffic.

We currently have several Bro's monitoring GigEther links. They don't usually have trouble keeping up, and this is running on old hardware. However, even LBL's access link is nowhere close to saturated. (Bro on that hardware could not keep up with a significantly higher traffic flow. We have newer hardware coming in, though, which I'm betting can.)

The one trick we use is large kernel BPF buffers, and making sure that libpcap doesn't limit the buffer size. This wasn't that important for 100 Mbps, but is crucial for Gbps.
Vern

From vern at ee.lbl.gov Tue Jul 25 00:33:35 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 25 Jul 2000 00:33:35 PDT
Subject: DNS
In-Reply-To: Your message of Mon, 24 Jul 2000 11:58:01 PDT.
Message-ID: <200007250733.e6P7XZ624367@daffy.ee.lbl.gov>

> I am trying to run bro on a Linux 2.2.14 intel box. If I try to use any
> of the ".bro" files, I get this error:
>
> hot, line 33: internal error: NB-DNS error in DNS_Mgr::WaitForReplies
> Aborted
>
> Could anyone help me to correct this?

The message means that a call to nb_dns_activity() (in nb_dns.c) is failing. Unfortunately, this problem isn't familiar to me, so you'll have to use a debugger to find out what's going on. I don't know how difficult that will be.

Vern

From maligned at attcanada.net Tue Jul 25 01:35:14 2000
From: maligned at attcanada.net (Jonathan Smith)
Date: Tue, 25 Jul 2000 02:35:14 -0600
Subject: DNS
References: <200007250733.e6P7XZ624367@daffy.ee.lbl.gov>
Message-ID: <397D5142.B1C774BD@attcanada.net>

Vern Paxson wrote:
>
> > I am trying to run bro on a Linux 2.2.14 intel box. If I try to use any
> > of the ".bro" files, I get this error:
> >
> > hot, line 33: internal error: NB-DNS error in DNS_Mgr::WaitForReplies
> > Aborted
> >
> > Could anyone help me to correct this?
>
> The message means that a call to nb_dns_activity() (in nb_dns.c) is
> failing. Unfortunately, this problem isn't familiar to me, so you'll have
> to use a debugger to find out what's going on. I don't know how difficult
> that will be.
>
> Vern

I have experienced a similar problem before when using bro on linux (do so at your own peril; better to use *BSD), if the box you're using it on is a router and there is no internet connectivity. This happens because bro needs to be able to resolve several host names present in the .bro files (if they're unmodified); line 33 of hot calls for the resolution of ns.lbl.gov, for instance.
The resolution to this is to customize the .bro files for your site; the values in the .bro files are placeholders (that was the intention, right?) so that you can change the value to something site specific.

On a somewhat related subject, Mr. Paxson, if you have finished the user manual I would be very interested in seeing it.

Thanks,

Jonathan

From mazequest at hotmail.com Tue Jul 25 07:40:53 2000
From: mazequest at hotmail.com (Kyle C Quest)
Date: Tue, 25 Jul 2000 14:40:53 GMT
Subject: Gigabit link monitoring
Message-ID: <20000725144055.52679.qmail@hotmail.com>

> What's crucial is the make-up of the traffic: how much is there, how much
> of it matches the filter, and what sort of analysis has to be performed
> for the captured traffic.

Right. I just assumed a high load gigabit network where one bro would need to do a lot of processing. Anyway, having several bros monitoring different traffic would also help...

> We currently have several Bro's monitoring GigEther links. They don't
> usually have trouble keeping up, and this is running on old hardware.
> However, even LBL's access link is nowhere close to saturated.

From StasK at narus.com Tue Jul 25 11:06:25 2000
From: StasK at narus.com (Stas Khirman)
Date: Tue, 25 Jul 2000 11:06:25 -0700
Subject: Gigabit link monitoring
Message-ID:

Does somebody have information on the number of packets per second successfully processed by Bro?

Stas Khirman

-----Original Message-----
From: Kyle C Quest [mailto:mazequest at hotmail.com]
Sent: Tuesday, July 25, 2000 7:41 AM
To: bro at lbl.gov
Subject: Re: Gigabit link monitoring

> What's crucial is the make-up of the traffic: how much is there, how much
> of it matches the filter, and what sort of analysis has to be performed
> for the captured traffic.

Right.
I just assumed a high load gigabit network where one bro would need to do a lot of processing. Anyway, having several bros monitoring different traffic would also help...

> We currently have several Bro's monitoring GigEther links. They don't
> usually have trouble keeping up, and this is running on old hardware.
> However, even LBL's access link is nowhere close to saturated.

From vern at ee.lbl.gov Tue Jul 25 12:41:28 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 25 Jul 2000 12:41:28 PDT
Subject: Gigabit link monitoring
In-Reply-To: Your message of Tue, 25 Jul 2000 11:06:25 PDT.
Message-ID: <200007251941.e6PJfSJ26591@daffy.ee.lbl.gov>

> Does somebody have information on the number of packets per second
> successfully processed by Bro?

It depends on how you want to cook the figure. It runs routinely on a link here with about 12,000 pps sustained, and peaks of 18,000 pps. (Well, used to; due to a topology change, the links I now routinely run it on have lower rates.) But it filters out a whole lot of the traffic.

The number quoted in the revised Bro paper was one test showing it sustained 730 filtered packets/sec, with peaks of 1,200 pps, without drops (it's possible it could have accommodated more; that was the highest-volume traffic stream I had convenient). This was measured in 1998 on what is now very modest Intel hardware.

I haven't stress tested it on higher streams, so don't have a good upper figure. Clearly, I should do that, in my copious spare time ...

Vern

From vern at ee.lbl.gov Tue Jul 25 12:42:43 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 25 Jul 2000 12:42:43 PDT
Subject: DNS
In-Reply-To: Your message of Tue, 25 Jul 2000 02:35:14 PDT.
Message-ID: <200007251942.e6PJgi926608@daffy.ee.lbl.gov>

> I have experienced a similar problem before when using bro on linux (do
> so at your own peril; better to use *BSD), if the box you're using it on is
> a router and there is no internet connectivity. This happens because bro
> needs to be able to resolve several host names present in the .bro files
> (if they're unmodified); line 33 of hot calls for the resolution of
> ns.lbl.gov, for instance. The resolution to this is to customize the .bro
> files for your site; the values in the .bro files are placeholders (that
> was the intention, right?) so that you can change the value to something
> site specific.

Thanks for the tip. Yes, the intention is that all the hostnames in the .bro files are placeholders, to illustrate how you might use the various policy tables.

> On a somewhat related subject, Mr. Paxson, if you have finished the user
> manual I would be very interested in seeing it.

I haven't, but keep those letters coming; the thought that people are interested in reading it does indeed help squeeze out the cycles for working on it.

Vern

From eric.gauthier at orange.ch Thu Jul 27 08:49:32 2000
From: eric.gauthier at orange.ch (Gauthier Eric)
Date: Thu, 27 Jul 2000 17:49:32 +0200
Subject: Hardware characteristic
Message-ID: <0104847773B2D3119AA300105AF2E18E42C8BF@vdlaexc3.orange.ch>

Hello everybody,

What are the characteristics to look at when buying hardware to run Bro on? Which values do you suggest to monitor a 100Mbps link or a Gigabit link?

- processor clock frequency
- processor cache
- memory
- number/capacity of hard disks

Thanks

Eric

From vern at ee.lbl.gov Sun Jul 30 10:28:50 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Sun, 30 Jul 2000 10:28:50 PDT
Subject: Hardware characteristic
In-Reply-To: Your message of Thu, 27 Jul 2000 17:49:32 +0200.
Message-ID: <200007301728.e6UHSo105673@daffy.ee.lbl.gov>

> What are the characteristics to look at when buying hardware to run Bro on?
Something that can run an OS that supports kernel BPF. E.g., FreeBSD, NetBSD, BSDi, Tru64. There are no doubt others, and I believe there's a kernel BPF port for Linux in the works, but I don't know if anyone is shipping it.

> Which values do you suggest to monitor a 100Mbps link or a Gigabit link?

The key is not the link speed so much as the traffic volume over that link, and, in particular, the volume of traffic accepted by the packet filter. In the past, we've successfully monitored some medium-sized sites (2000 users) with 400 MHz Pentiums running FreeBSD. You should have a good amount of memory, say 256 MB or more. If you have a few hundred users, then a vanilla 9 GB will probably work fine. If you have a lot more, then larger drives. It also depends on how long a record you want to keep on-line. (Experience shows you'll at least want a week, to allow retrospective analysis of activity.) We use the CCD driver under FreeBSD to stripe several drives together into one large, fast partition, and also have an off-line archive machine on which we keep everything other than the raw traces for quite a ways back.

Vern
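Following up on the DNS thread above, where unmodified placeholder hostnames in the .bro files (ns.lbl.gov at line 33 of hot, for example) make Bro 0.6 abort at startup with "NB-DNS error in DNS_Mgr::WaitForReplies" on a box with no working DNS: the script below is an added example, not part of this thread and not code from the Bro distribution. It pulls the hostname literals out of a policy file and tries to resolve each one before Bro is started, so the placeholders that need site-specific values are listed up front instead of being discovered one abort at a time. The sample policy text, the regular expression for hostname literals, the script name and the stand-in resolver are all assumptions made for the example; the real hot.bro is not reproduced here.

```python
"""
Pre-flight check for hostname placeholders in Bro policy files.

As described in the DNS thread, Bro 0.6 resolves the hostname literals in the
loaded .bro files at startup and aborts if a lookup fails.  This script finds
those literals and resolves each one first.  Standard library only.
"""
import re
import socket
import sys
from typing import Callable, Dict, List, Optional

# A dotted name: two or more labels of letters, digits or hyphens.  The
# look-arounds stop us from matching the tail of a longer token.  This is an
# approximation of Bro's lexer, chosen for the example.
HOSTNAME_RE = re.compile(r"(?<![\w.-])[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?![\w.-])")

# Constructed sample in the style of a 0.6 policy table (bare hostnames as
# table keys).  It is NOT the distribution's hot.bro; ns.lbl.gov is one of the
# placeholder names mentioned in the thread.
SAMPLE_POLICY = """\
# constructed sample, not the real hot.bro
const allow_services_to = {
    [ns.lbl.gov, [domain, 22/tcp]],
    [mail.example.org, smtp],
    [128.3.0.1, http],        # an address literal needs no lookup
}
@load mt                      # module name, not a hostname
"""


def extract_hostnames(policy_text: str) -> List[str]:
    """Distinct hostname-like literals in policy_text, in order of first
    appearance.  '#' comments, dotted-quad addresses and *.bro file names
    are ignored."""
    names: List[str] = []
    for raw in policy_text.splitlines():
        code = raw.split("#", 1)[0]          # drop trailing comment
        for match in HOSTNAME_RE.finditer(code):
            name = match.group(0)
            if name.endswith(".bro"):
                continue                     # e.g. "@load hot.bro"
            if all(label.isdigit() for label in name.split(".")):
                continue                     # 128.3.0.1 style literal
            if name not in names:
                names.append(name)
    return names


def default_resolver(name: str) -> str:
    """System resolver; raises OSError (socket.gaierror) when a name fails."""
    return socket.gethostbyname(name)


def check_placeholders(policy_text: str,
                       resolver: Callable[[str], str] = default_resolver
                       ) -> Dict[str, Optional[str]]:
    """Map each hostname literal to its address, or None if it does not
    resolve.  The resolver is injectable so the check can run offline."""
    results: Dict[str, Optional[str]] = {}
    for name in extract_hostnames(policy_text):
        try:
            results[name] = resolver(name)
        except OSError:                      # gaierror/herror are subclasses
            results[name] = None
    return results


def unresolved(results: Dict[str, Optional[str]]) -> List[str]:
    """Names that would make Bro abort at startup on this box."""
    return [name for name, addr in results.items() if addr is None]


def main(argv: List[str]) -> int:
    if argv:
        text = ""
        for path in argv:                    # e.g. hot.bro mt.bro
            with open(path) as fh:
                text += fh.read() + "\n"
    else:
        text = SAMPLE_POLICY
    results = check_placeholders(text)
    for name, addr in results.items():
        print(f"{name:30s} {addr or 'UNRESOLVED'}")
    bad = unresolved(results)
    if bad:
        print(f"\n{len(bad)} placeholder(s) to replace before starting bro: "
              + ", ".join(bad))
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as, say, `python check_policy_hosts.py hot.bro mt.bro` (the script name is hypothetical) before the first `./bro -i eth0 ...`; a non-zero exit means at least one literal still points at a name this host cannot resolve. On a router with no path to a resolver, `socket.gethostbyname` will block until the resolver times out for each name, which is the same condition that makes Bro itself stall and abort, so pass a resolver of your own (a local hosts table, for instance) when checking offline.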